Skip Ribbon Commands
Skip to main content

Incident Response Plan Minimize Damage with a Plan that Steps into the Breach


​Your IT manager reports that your network has experienced a breach. Does your team know what immediate steps to take?

Too many small and mid-size real estate and construction companies have no protocol in place to deal with a cyber breach — even though the likelihood of a successful attack is almost assured.

When cyber criminals manage to penetrate defences, damage control is typically ad hoc and sometimes chaotic, which can lead to more damage and higher costs. In fact, a deficient response to a breach often causes more harm than the incident itself. Given the average cost of a data breach is now about $4 million according to a global study, every management team should have a response plan ready to launch when needed.

If your operations or properties have intelligent control systems, a plan is imperative. Not only could a breach lead to loss of finances and reputation, it could also compromise personal safety. For example, during a recent penetration test (an authorized, simulated cyber strike), testers gained control of a client's computer workstations. These stations have the capability of creating physical card keys. If this had been a true breach, a cyber criminal could have easily encoded and printed access cards to gain entry to tenants' offices.

At some point, virtually every business will experience a successful cyber attack, regardless of its level of protection. In a global survey of IT security decision makers and practitioners across a range of industries, 82% of respondents in Canada reported their network had been compromised during the past year.

It's crucial to prepare for this eventuality. Minimizing catastrophic consequences requires the ability to rapidly deploy an incident response plan that sets out a coordinated approach to mitigate damage. This plan is an integral component of a proactive, risk-based approach to security that includes multiple layers of cyber defences to identify, protect, detect, respond and recover in a controlled, efficient way.

Developing this plan does not have to be time-consuming or complicated. But it does require the support of senior executives and active participation from across the organization.

You can assemble an internal team to develop this plan or seek guidance from experienced external professionals. Here are the key components.

Incident response team – this group is responsible for coordinating analysis and response to security breaches. Members should comprise both internal stakeholders as well as external resources who can be called upon when needed.

Internal representatives generally encompass a cross-section of individuals from business units such as senior management, IT, finance, communications and human resources. External members might include legal counsel, law enforcement, cyber security specialists, forensic experts and public relations professionals.

While the specific steps the team follows will vary according to each incident, guidelines and responsibilities should be established for the following major phases of the incident response process.

Triage – what steps should we to take to validate the occurrence of a breach and if so, the type and magnitude of the problem?

Contain – what do we need to do to isolate the problem and prevent escalation or to mitigate the impact of the breach?

Analyze – what steps should we take to determine the cause of the breach and to prioritize appropriate actions?

Gather evidence – how should we maintain a log of events, actions and evidence for potential regulatory, law enforcement and forensic investigations?

Remediate – what steps are required to resolve the issue, restore operations and remedy vulnerabilities to prevent a recurrence?

Communicate – what are our internal and external communication needs and how will we address these?

Lessons learned – how will we integrate what we learned into future response planning?

Once guidelines have been established, the plan must be embedded into the organization by distributing it widely and providing relevant communications and training.

Finally, test the cyber incident response plan on a regular basis, at least annually, or when there is major organizational change. Conducting simulated security breaches will test and improve your team's response — before a true cyber breach tests it for you.

Trac Bo, CPA, CA, CISA, CRISC, ABCP, CGEIT, is the National Technology Risk Services Leader of MNP. Contact Trac at 403.263.3385 ext. 8396 or [email protected].

This is the final article in a series featuring MNP perspectives on cyber security for Canada's real estate and construction companies. Other articles reviewed essential components of a strong security posture, including maturity and threat analyses, penetration testing, and managed services.